Shostack + Friends Blog Archive


Fu-Sec, Dunbar Numbers, and Success Catastrophes

In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA.

So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed?

I think there are two main reasons, the first involving group dynamics, and the second involving group dynamics success catastrophes.

As a group grows, there are lots of dynamics. One of those is that functional groups can get more done than individuals. There are also communication and alignment costs, which is why adding more programmers to a late project makes it later. Christopher Allen has written extensively about this in his posts on Dunbar numbers, such as “The Dunbar Number as a Limit to Group Sizes.”

As a professional networking group hits some critical mass of interested early adopters, those early adopters put in work and get lots of value. Since a goal of the group is networking, they excitedly invite more people, telling them how great it is. The group grows. Newcomers may not invest the same level of energy (after all, things are working great, let’s drink more!) As that happens, the selection functions that controlled early membership: Did you find out about it because you read the right blogs? Did you make time to attend?

As the group grows, the activities and energy that made it work may no longer suit what the group has become. This is why lots of startup founders leave: They’re great in the early stages, but as they build the company, the very skills that made the early days work become dysfunctional. Startups often do this, at great cost, because there’s a board of directors who are focused on a financial outcome. Professional societies, who take their boards from the enthusiastic membership, may not have that same focus. These groups want more of what made them valuable early on.

Thus, the habits and skills that make a group successful can end up holding it back. It’s the catastrophe that follows success, and it’s why we have a growing list of professional organizations that don’t do quite what some people want. When the groups don’t serve the purpose, some enthusiastic people will set out to fill that gap, either in a market or in a social setting.

So what can you do about it? Me, I plan to drink lots of beer at the next SeaSec.

Photo: Zombarmy06 by Father.Jack.

5 comments on "Fu-Sec, Dunbar Numbers, and Success Catastrophes"

  • Anonymous says:

    dup article

  • dunsany says:

    How about the fact that there are WAY too many of these security groups to attend. Lessee, in the Puget Sound area we have Agora, ISSA, InfraGard, WSA Security SIG, CTIN, the CISO Forum, PSACS… and now SeaSec? Fogeddit. A good many of the security professionals in town don’t attend any of ’em because we’re just too busy… and really, don’t know which one is “the one” for them.

  • Adam says:

    Perhaps I’m missing your point. How does “there are too many” lead to “more?”

  • Dunsany says:

    I agree that many of the organizations aren’t fulfilling everyone’s needs, but I do not agree that this should entail creating more meetings. For example, SeaSec says that Agora is too formal. Agora is so informal that I fear anything less formal would be a waste of time. One of the factors I see with good fit with many organizations are timing and location. Some people want to meet during business hours, some can’t. Some can drive far, some can’t. I look at it this way, I have x hours I can devote to a professional networking group. To get the most bang for my buck, I’m going to aim for a wide swath of semi-trustworthy services and people with minimal requirements placed on me. For the past ten years, that’s been Agora. As a second choice, I’m a member of a more exclusive group but it provides me higher quality information at the cost of limiting my audience. One broad, one narrow. Quite a bit of recommendations would have come my way before I “spent” more of my time budget on a new group. I’ve been burned before and I really don’t have the time to waste again. There’s also the factor of putting energy into a group. It took me maybe a year or so before I built up a solid core of a network within the local community at large. And part of that ramp up was because I started with some groups that were rather siloed from everyone else.

  • Dunsany says:

    At the risk of turning this into one of the comment threads that turns into a big ole boring rant, let me address your specific question. It seems to me that a new security group crops up once or twice a year. Reasons are listed as to why it’s better than all the other groups, etc. Most of them end up gathering a couple dozen people and then stagnate and/or die. I’ve noticed there are a finite number of valuable security professionals in the area (and I’m glad you’re now part of us) who end up leading (politically or intellectually) these groups. As the groups grow, those resources grow thinner and network together less… until the small groups die and they reform back into the community as a whole. I’d rather see people pour their resources back into the existing groups to make them better than continually fragmenting and confusing the security community at large.
